Commit Graph

1169377 Commits

Author SHA1 Message Date
Jann Horn
174bcb2711 firmware_loader: Block path traversal
commit f0e5311aa8022107d63c54e2f03684ec097d1394 upstream.

Most firmware names are hardcoded strings, or are constructed from fairly
constrained format strings where the dynamic parts are just some hex
numbers or such.

However, there are a couple codepaths in the kernel where firmware file
names contain string components that are passed through from a device or
semi-privileged userspace; the ones I could find (not counting interfaces
that require root privileges) are:

 - lpfc_sli4_request_firmware_update() seems to construct the firmware
   filename from "ModelName", a string that was previously parsed out of
   some descriptor ("Vital Product Data") in lpfc_fill_vpd()
 - nfp_net_fw_find() seems to construct a firmware filename from a model
   name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I
   think parses some descriptor that was read from the device.
   (But this case likely isn't exploitable because the format string looks
   like "netronome/nic_%s", and there shouldn't be any *folders* starting
   with "netronome/nic_". The previous case was different because there,
   the "%s" is *at the start* of the format string.)
 - module_flash_fw_schedule() is reachable from the
   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as
   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is
   enough to pass the privilege check), and takes a userspace-provided
   firmware name.
   (But I think to reach this case, you need to have CAP_NET_ADMIN over a
   network namespace that a special kind of ethernet device is mapped into,
   so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device
drivers that use the firmware loader dangerously.

Cc: stable@vger.kernel.org
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Fixes: abb139e75c ("firmware: teach the kernel to load firmware files directly from the filesystem")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Link: https://lore.kernel.org/r/20240828-firmware-traversal-v3-1-c76529c63b5f@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-26 16:23:01 +09:00
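The check the firmware_loader commit message above describes, sketched as a standalone userspace C program. This is an added example, not the kernel's code and not part of the commit; `fw_name_has_dotdot()`, `build_fw_name()` and all sample strings are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true if any '/'-separated component of name is
 * exactly "..". "rev..2" or "..." are not ".." components and pass. */
static bool fw_name_has_dotdot(const char *name)
{
	const char *p = name;

	while (*p) {
		size_t len = strcspn(p, "/");	/* length of this component */

		if (len == 2 && p[0] == '.' && p[1] == '.')
			return true;
		p += len;
		if (*p == '/')
			p++;			/* step over the separator */
	}
	return false;
}

/* Hypothetical caller: join prefix + device-supplied model + suffix and
 * refuse the result before any path lookup. Returns 0 if the name is
 * usable, -1 if it was truncated or contains a ".." component. */
static int build_fw_name(char *out, size_t outlen, const char *prefix,
			 const char *model, const char *suffix)
{
	int n = snprintf(out, outlen, "%s%s%s", prefix, model, suffix);

	if (n < 0 || (size_t)n >= outlen)
		return -1;
	return fw_name_has_dotdot(out) ? -1 : 0;
}

int main(void)
{
	/* Constructed model strings, not taken from any real device. */
	const char *models[] = { "MODEL1", "../x", "a/../b", "rev..2" };
	char name[64];

	for (size_t i = 0; i < sizeof(models) / sizeof(models[0]); i++)
		printf("%-8s -> %s\n", models[i],
		       build_fw_name(name, sizeof(name), "", models[i], ".bin")
		       ? "rejected" : name);
	return 0;
}
```

With the prefix `netronome/nic_`, a model of `../x` produces the component `nic_..`, which this check accepts; that name only resolves if a directory with that literal name exists, which is the distinction the commit message draws between a `%s` at the start of the format string and one after a fixed prefix.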
j7b3y
f79984b59b Revert "firmware_loader: Add /vendor/firmware and /odm/firmware to search paths"
This reverts commit 8744e80bcb.

Revert "firmware_loader: add /odm/firmware to fw_path[]"

This reverts commit f830bcfc62.

Revert "firmware_loader: add /vendor/firmware to fw_path[]"

This reverts commit eff67caa90.
2025-01-16 11:04:13 +09:00
j7b3y
d14bfe8797 drivers/battery/wireless: add cps4038 2025-01-15 18:04:16 +09:00
j7b3y
f32a1238aa e1q: sync samsung source 2025-01-15 18:04:05 +09:00
Sergey Matsievskiy
0558847d22 pinctrl: ocelot: fix system hang on level based interrupts
commit 93b8ddc54507a227087c60a0013ed833b6ae7d3c upstream.

The current implementation only calls chained_irq_enter() and
chained_irq_exit() if it detects pending interrupts.

```
for (i = 0; i < info->stride; i++) {
	regmap_read(info->map, id_reg + 4 * i, &reg);
	if (!reg)
		continue;

	chained_irq_enter(parent_chip, desc);
```

However, in case of GPIO pin configured in level mode and the parent
controller configured in edge mode, GPIO interrupt might be lowered by the
hardware. In the result, if the interrupt is short enough, the parent
interrupt is still pending while the GPIO interrupt is cleared;
chained_irq_enter() never gets called and the system hangs trying to
service the parent interrupt.

Moving chained_irq_enter() and chained_irq_exit() outside the for loop
ensures that they are called even when GPIO interrupt is lowered by the
hardware.

The similar code with chained_irq_enter() / chained_irq_exit() functions
wrapping interrupt checking loop may be found in many other drivers:
```
grep -r -A 10 chained_irq_enter drivers/pinctrl
```

Cc: stable@vger.kernel.org
Signed-off-by: Sergey Matsievskiy <matsievskiysv@gmail.com>
Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/20241012105743.12450-2-matsievskiysv@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-13 22:00:24 +09:00
j7b3y
8744e80bcb firmware_loader: Add /vendor/firmware and /odm/firmware to search paths
* Add both /vendor/firmware and /odm/firmware to firmware loader search
  paths because Oplus like to store their firmware in /odm, also add
  the /vendor path so we don't need to specify /vendor/firmware in
  firmware_class.path boot arg.
2025-01-13 13:57:30 +09:00
j7b3y
a83e8e51cf drivers: iommu: arm-smmu: Specify sync probe for qsmmuv500-tbu 2025-01-10 21:29:52 +09:00
Yifei Liu
6a092a18f5 selftests: breakpoints: use remaining time to check if suspend succeed
[ Upstream commit c66be905cda24fb782b91053b196bd2e966f95b7 ]

step_after_suspend_test fails with device busy error while
writing to /sys/power/state to start suspend. The test believes
it failed to enter suspend state with

$ sudo ./step_after_suspend_test
TAP version 13
Bail out! Failed to enter Suspend state

However, in the kernel message, I indeed see the system get
suspended and then wake up later.

[611172.033108] PM: suspend entry (s2idle)
[611172.044940] Filesystems sync: 0.006 seconds
[611172.052254] Freezing user space processes
[611172.059319] Freezing user space processes completed (elapsed 0.001 seconds)
[611172.067920] OOM killer disabled.
[611172.072465] Freezing remaining freezable tasks
[611172.080332] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[611172.089724] printk: Suspending console(s) (use no_console_suspend to debug)
[611172.117126] serial 00:03: disabled
some other hardware get reconnected
[611203.136277] OOM killer enabled.
[611203.140637] Restarting tasks ...
[611203.141135] usb 1-8.1: USB disconnect, device number 7
[611203.141755] done.
[611203.155268] random: crng reseeded on system resumption
[611203.162059] PM: suspend exit

After investigation, I noticed that for the code block
if (write(power_state_fd, "mem", strlen("mem")) != strlen("mem"))
	ksft_exit_fail_msg("Failed to enter Suspend state\n");

The write will return -1 and errno is set to 16 (device busy).
It should be caused by the write function is not successfully returned
before the system suspend and the return value get messed when waking up.
As a result, it may be better to check the time passed of those few
instructions to determine whether the suspend is executed correctly for
it is pretty hard to execute those few lines for 5 seconds.

The timer to wake up the system is set to expire after 5 seconds and
no re-arm. If the timer remaining time is 0 seconds and 0 nanoseconds,
it means the timer expired and wake the system up. Otherwise, the system
could be considered to enter the suspend state failed if there is any
remaining time.

After applying this patch, the test would not fail for it believes the
system does not go to suspend by mistake. It now could continue to the
rest part of the test after suspend.

Fixes: bfd092b8c2 ("selftests: breakpoint: add step_after_suspend_test")
Reported-by: Sinadin Shan <sinadin.shan@oracle.com>
Signed-off-by: Yifei Liu <yifei.l.liu@oracle.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-10 17:34:38 +09:00
Kazuki Hashimoto
f830bcfc62 firmware_loader: add /odm/firmware to fw_path[]
/odm/firmware must be put before /vendor/firmware, otherwise the wrong
firmware will be loaded.

01-01 09:00:31.514  1333  1333 E msm_cvp ab00000.qcom,cvp: invalid firmware metadata
01-01 09:00:31.514  1333  1333 I msm_cvp : err: __load_fw_to_memory: error -22 loading "evass.mbn"
01-01 09:00:31.514  1333  1333 I msm_cvp : err: Failed to download firmware

Signed-off-by: Kazuki Hashimoto <kazukih0205@gmail.com>
2025-01-10 09:33:46 +09:00
Juhyung Park
eff67caa90 firmware_loader: add /vendor/firmware to fw_path[]
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
2025-01-10 09:33:19 +09:00
j7b3y
9da09438f5 e1q: disable CONFIG_CORE_REGDB 2025-01-09 17:01:49 +09:00
wadesong
8d40a15da2 cfg80211: Make core regdb optional
On kernel startup, the cfg80211 core hint code will try to load
regulatory.db unconditionally, which can increase kernel boot
time on some platforms where no regulatory.db is available.

Enclose all the related code for regulatory.db manipulation
with a macro CONFIG_CORE_REGDB so any platform with no
regulatory.db will not be affected by this.

NOTE: it is expected that any platform with no regulatory.db
      should have self-managed regulatory database supported
      by wlan module.

Change-Id: I9fd96012a4c47c26be8c223fc4ee545dac8f640b
Signed-off-by: wadesong <wadesong@codeaurora.org>
2025-01-09 16:59:47 +09:00
j7b3y
cd12e6ec55 Revert "Move specific options into kernel source"
This reverts commit b3a34163b7.
2025-01-09 14:05:34 +09:00
j7b3y
b3a34163b7 Move specific options into kernel source 2025-01-09 13:19:39 +09:00
David Wronek
7bef358e43 Disable CONFIG_BACKLIGHT_QCOM_SPMI_WLED
Change-Id: I081ba803a6dcb0f1024e53d5ec3e8d1beffd0c3b
2025-01-07 17:16:16 +09:00
j7b3y
6c33f03d35 add e1q config 2025-01-04 10:27:12 +09:00
David Wronek
b49f92d500 Add Samsung SM8650 platform config
Change-Id: I8ea6b1303327e3b5a43705310018024303bbaf9a
2024-12-31 20:04:05 +01:00
David Wronek
44895bd4b4 fixup! Fix clang 19 issues 2024-12-27 09:46:48 +01:00
David Wronek
45c35ddaed Fix clang 19 issues
Change-Id: I5d5d81bcefaf02a9542674ec00a58e9dd958561d
2024-12-25 17:54:26 +01:00
Wei Yang
322217c1fe memblock tests: fix undefined reference to `panic'
[ Upstream commit e0f5a8e74be88f2476e58b25d3b49a9521bdc4ec ]

commit e96c6b8f212a ("memblock: report failures when memblock_can_resize
is not set") introduced the usage of panic, which is not defined in
memblock test.

Let's define it directly in panic.h to fix it.

Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
CC: Song Shuai <songshuaishuai@tinylab.org>
CC: Mike Rapoport <rppt@kernel.org>
Link: https://lore.kernel.org/r/20240402132701.29744-3-richard.weiyang@gmail.com
Signed-off-by: Mike Rapoport (IBM) <rppt@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-12-25 13:42:54 +01:00
David Wronek
4a4d118674 e3q: Disable input booster
Change-Id: Ibef4cb569858b7757c2a06a8a971667e1ea71ede
2024-12-22 11:56:24 +01:00
David Wronek
2029f79be4 e3q: TEMPORARY HACK TO LOAD ALL MODULES
Change-Id: Ic4d2c388f19c63fad0d462c396fa08195d49e47f
2024-12-15 11:51:50 +01:00
David Wronek
dc2add5696 e3q: Fix sound card not being online
Change-Id: I8d8c39cae14413f158a61e16856f656b7be27d12
2024-12-11 21:50:34 +01:00
David Wronek
78c670a929 e3q: Import S928BXXS3AXI1 changes 2024-10-20 20:10:16 +02:00
Bruno Martins
976e70b34a scripts: Allow QCOM devicetree overlays to be properly combined
Apply the same logic that Qualcomm uses on their 5.15 kernel_platform
build scripts, as seen in commit e10f5dc.

As a sidenote, passing DTC_FLAGS externally is not an option since it
overrides any other flags set by the kernel makefile.
2024-10-20 20:09:27 +02:00
Danny Lin
5780d3b53b dtc: Silence warnings by default
Change-Id: Id9adf76a357dabd5f64503852baf84e67488fcb0
2024-10-20 20:09:27 +02:00
Cosmin Tanislav
395e33d386 arch: arm64: dts: Exclude standard dts if vendor dts exists
Change-Id: I11f68b27a45fa02861bd5b6526bf49664bfccfb8
2024-10-20 20:09:27 +02:00
David Wronek
dc0027c516 Import S928BXXU3AXH7 changes 2024-10-20 20:09:27 +02:00
David Wronek
4c31cc9fe8 Makefile: export headers from certain external modules 2024-10-07 20:17:23 +02:00
SGCMarkus
247458f58c Android.bp: add soong namespace 2024-10-05 13:28:37 +02:00
TALU
e4a3136cae arm64: Revert "sigcontext: use standard __uint128_t type for vregs in struct fpsimd_context."
It causes this issue with the Android build system:

out/soong/.intermediates/vendor/lineage/build/soong/generated_kernel_includes/gen/usr/include/asm/sigcontext.h:53:2: error: unknown type name '__uint128_t'
        __uint128_t vregs[32];
        ^

Change-Id: Ia4cf9c0e2b6a32550ec6c4398139838add0b24a1
2024-10-05 13:26:14 +02:00
danielml
6bc44a0977 scripts: headers: Skip removal of unwanted headers
Change-Id: I5ba672e50a991c266e4e4195a25155708380ab69
2024-10-05 13:25:54 +02:00
SGCMarkus
ad386a8919 Makefile: export headers from certain external modules
* audio-kernel
* display-drivers
* video-kernel
* nxp driver

Change-Id: I64d38125fd705be754f67485e6d2eac2e664d7ef
2024-10-05 13:25:41 +02:00
LuK1337
ef6745fc13 Android: Add empty Android.mk file
* This prevents inclusion of drivers/staging/greybus/tools/Android.mk
  which will conflict in case we have more than 1 kernel tree in AOSP
  source dir.

Change-Id: I335bca7b6d6463b1ffc673ab5367603347516e13
2024-10-05 13:25:26 +02:00
Linux Build Service Account
7cf8e36f33 Merge 328d73e6b8 on remote branch
Change-Id: Ifb5ec2e7d8b7b8b3b11a6aba3565d1c0faa7e4b1
2024-09-11 03:24:30 -07:00
QCTECMDR Service
328d73e6b8 Merge "net: stmmac: Fix LPM issue on gen3" 2024-09-04 19:04:22 -07:00
QCTECMDR Service
9a254c3f9e Merge "soc: qcom: hab: Replace imp whse with rbtree based" 2024-09-04 19:04:21 -07:00
QCTECMDR Service
9ec41dc89f Merge "defconfig: sdmsteppeauto: Enable gpi config" 2024-09-04 19:04:21 -07:00
QCTECMDR Service
17124d3595 Merge "q2spi-msm-geni: Ensure Channel errors handled sequentially after START sequence fail" 2024-09-04 08:58:22 -07:00
Kishor Krishna Bhat
9e0b7733ce defconfig: sdmsteppeauto: Enable gpi config
Enable gpi config to allow the uart to access gpi.

Change-Id: I37bb00f25f3f5caed974b06828a118739a857e29
Signed-off-by: Kishor Krishna Bhat <quic_kishkris@quicinc.com>
2024-09-04 12:48:51 +05:30
QCTECMDR Service
e8fcda613b Merge "net: qrtr: Add condition to check data length while logging" 2024-09-03 22:40:04 -07:00
Chandana Kishori Chiluveru
4219aa4a08 q2spi-msm-geni: Ensure Channel errors handled sequentially after START sequence fail
When slave is in sleep q2spi host transfer will fail with GSI
start sequence failure. In this scenario two events reported from
GSI channel error and TX dma completion event 0x22. Since GSI
reports these events separately if start sequence fail is not
processed before channel error gpi_q2spi_terminate_all is called twice
and leading to GSI failures.

Ensure Channel errors in GSI recover path are handled sequentially
only after START sequence fail is processed.

Change-Id: Ie85528b6354241153330c403ba026c5006d5c78e
Signed-off-by: Chandana Kishori Chiluveru <quic_cchiluve@quicinc.com>
2024-09-03 05:48:04 -07:00
Suraj Jaiswal
d2744b2a67 net: stmmac: Fix LPM issue on gen3
Fix LPM issue on gen3.

Change-Id: Ib7f4953e2cd25db3ace8a5912490ad528b6a0059
Signed-off-by: Suraj Jaiswal <quic_jsuraj@quicinc.com>
2024-09-03 15:09:54 +05:30
QCTECMDR Service
7f32770218 Merge "kernel: msm: Adding PPS2/PPS3" 2024-09-02 23:10:38 -07:00
QCTECMDR Service
10192a0685 Merge "usb: dwc3: dwc3-msm-core: configured dp/dm irqs" 2024-09-02 23:10:38 -07:00
QCTECMDR Service
488e19cdcf Merge "usb: dwc3: dwc3-msm-core: Switch to UTMI clk during host teardown" 2024-09-02 23:10:37 -07:00
QCTECMDR Service
ec0db65b6e Merge "net: stmmac: Re initialize Rx buffers" 2024-09-02 23:10:37 -07:00
QCTECMDR Service
e3bfd6c700 Merge "usb: gadget: f_gsi: bail out if opts is null" 2024-09-02 23:10:37 -07:00
QCTECMDR Service
472400d2a2 Merge "drivers: dcvs: bwmon: synchronize_irq before hibernation" 2024-09-02 23:10:36 -07:00
QCTECMDR Service
c69541a532 Merge "defconfig: Add support for usb related configs in Neo" 2024-09-02 23:10:36 -07:00